From 82f90419f3ebae01ec953cb6eb7ad164767ab43a Mon Sep 17 00:00:00 2001 From: gshapiro Date: Mon, 3 Mar 2003 17:18:01 +0000 Subject: Fix conflicts from sendmail 8.12.8 import --- contrib/sendmail/src/headers.c | 282 ++++++++++++++++++++++++++--------------- 1 file changed, 180 insertions(+), 102 deletions(-) (limited to 'contrib/sendmail/src/headers.c') diff --git a/contrib/sendmail/src/headers.c b/contrib/sendmail/src/headers.c index 5d90344..d9966b1 100644 --- a/contrib/sendmail/src/headers.c +++ b/contrib/sendmail/src/headers.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2001 Sendmail, Inc. and its suppliers. + * Copyright (c) 1998-2003 Sendmail, Inc. and its suppliers. * All rights reserved. * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. * Copyright (c) 1988, 1993 @@ -13,9 +13,9 @@ #include -SM_RCSID("@(#)$Id: headers.c,v 8.266.4.2 2002/09/23 23:42:02 ca Exp $") +SM_RCSID("@(#)$Id: headers.c,v 8.266.4.4 2003/01/18 00:41:48 gshapiro Exp $") -static size_t fix_mime_header __P((char *)); +static size_t fix_mime_header __P((HDR *, ENVELOPE *)); static int priencode __P((char *)); static void put_vanilla_header __P((HDR *, char *, MCI *)); @@ -676,8 +676,8 @@ eatheader(e, full, log) if (buf[0] != '\0') { if (bitset(H_FROM, h->h_flags)) - expand(crackaddr(buf), buf, sizeof buf, - e); + expand(crackaddr(buf, e), + buf, sizeof buf, e); h->h_value = sm_rpool_strdup_x(e->e_rpool, buf); h->h_flags &= ~H_DEFAULT; } 
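Review bot: The call in eatheader, `expand(crackaddr(buf, e), buf, sizeof buf, e);`, is the only crackaddr caller this patch shows being moved to the two-argument form, and the definition later in the file is old-style (`crackaddr(addr, e)`), so a compiler will not reject a stale one-argument call unless the shared prototype was updated too. The new overflow path reads `e->e_id`, so such a caller would hand crackaddr an indeterminate `e` exactly when an over-long address is being handled. This view is limited to headers.c, so it is worth confirming that the prototype in the project header now reads something like `extern char *crackaddr __P((char *, ENVELOPE *));` and that every other caller passes a valid envelope. eatheader's body starts and ends outside the hunk.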
@@ -998,7 +998,11 @@ priencode(p) ** it and replaces it with "$g". The parse is totally ad hoc ** and isn't even guaranteed to leave something syntactically ** identical to what it started with. However, it does leave -** something semantically identical. +** something semantically identical if possible, else at least +** syntactically correct. +** +** For example, it changes "Real Name (Comment)" +** to "Real Name <$g> (Comment)". ** ** This algorithm has been cleaned up to handle a wider range ** of cases -- notably quoted and backslash escaped strings. @@ -1007,6 +1011,7 @@ priencode(p) ** ** Parameters: ** addr -- the address to be cracked. +** e -- the current envelope. ** ** Returns: ** a pointer to the new version. 
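Review bot: The header comment for crackaddr gains the `e` parameter, but its `Returns:` text still only says "a pointer to the new version", while the new code can also give up and return the fixed string `<$g>` after logging at LOG_ALERT. I would document that under Returns, e.g. `**		a pointer to the new version, or "<$g>" if the rewritten address does not fit in MAXNAME (logged via sm_syslog).` Callers that expect the real-name phrase or comments to survive should be able to learn from the comment that they can be dropped. The comment block starts before this hunk and ends in the next one.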
@@ -1019,28 +1024,50 @@ priencode(p) ** be copied if it is to be reused. */ +#define SM_HAVE_ROOM ((bp < buflim) && (buflim <= bufend)) + +/* +** Append a character to bp if we have room. +** If not, punt and return $g. +*/ + +#define SM_APPEND_CHAR(c) \ + do \ + { \ + if (SM_HAVE_ROOM) \ + *bp++ = (c); \ + else \ + goto returng; \ + } while (0) + +#if MAXNAME < 10 +ERROR MAXNAME must be at least 10 +#endif /* MAXNAME < 10 */ + char * -crackaddr(addr) +crackaddr(addr, e) register char *addr; + ENVELOPE *e; { register char *p; register char c; - int cmtlev; - int realcmtlev; - int anglelev, realanglelev; - int copylev; - int bracklev; - bool qmode; - bool realqmode; - bool skipping; - bool putgmac = false; - bool quoteit = false; - bool gotangle = false; - bool gotcolon = false; + int cmtlev; /* comment level in input string */ + int realcmtlev; /* comment level in output string */ + int anglelev; /* angle level in input string */ + int copylev; /* 0 == in address, >0 copying */ + int bracklev; /* bracket level for IPv6 addr check */ + bool addangle; /* put closing angle in output */ + bool qmode; /* quoting in original string? */ + bool realqmode; /* quoting in output string? */ + bool putgmac = false; /* already wrote $g */ + bool quoteit = false; /* need to quote next character */ + bool gotangle = false; /* found first '<' */ + bool gotcolon = false; /* found a ':' */ register char *bp; char *buflim; char *bufhead; char *addrhead; + char *bufend; static char buf[MAXNAME + 1]; if (tTd(33, 1)) 
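Review bot: SM_APPEND_CHAR hides a `goto returng`, and both new macros read crackaddr's locals `bp`, `buflim` and `bufend`, yet they are defined at file scope and nothing in the visible hunks removes them again. A one-line warning in the macro comment (`** Only usable inside crackaddr(): uses bp, buflim, bufend and jumps to returng.`) plus `#undef SM_HAVE_ROOM` and `#undef SM_APPEND_CHAR` after the function's closing brace would keep them from being reused elsewhere in headers.c, where the same names could mean something else. crackaddr's body continues past this hunk.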
@@ -1055,25 +1082,22 @@ crackaddr(addr) ** adjusted later if we find them. */ + buflim = bufend = &buf[sizeof(buf) - 1]; bp = bufhead = buf; - buflim = &buf[sizeof buf - 7]; p = addrhead = addr; - copylev = anglelev = realanglelev = cmtlev = realcmtlev = 0; + copylev = anglelev = cmtlev = realcmtlev = 0; bracklev = 0; - qmode = realqmode = false; + qmode = realqmode = addangle = false; while ((c = *p++) != '\0') { /* - ** If the buffer is overful, go into a special "skipping" - ** mode that tries to keep legal syntax but doesn't actually - ** output things. + ** Try to keep legal syntax using spare buffer space + ** (maintained by buflim). */ - skipping = bp >= buflim; - - if (copylev > 0 && !skipping) - *bp++ = c; + if (copylev > 0) + SM_APPEND_CHAR(c); /* check for backslash escapes */ if (c == '\\') @@ -1088,8 +1112,8 @@ crackaddr(addr) p--; goto putg; } - if (copylev > 0 && !skipping) - *bp++ = c; + if (copylev > 0) + SM_APPEND_CHAR(c); goto putg; } @@ -1097,8 +1121,14 @@ crackaddr(addr) if (c == '"' && cmtlev <= 0) { qmode = !qmode; - if (copylev > 0 && !skipping) + if (copylev > 0 && SM_HAVE_ROOM) + { + if (realqmode) + buflim--; + else + buflim++; realqmode = !realqmode; + } continue; } if (qmode) @@ -1110,15 +1140,15 @@ crackaddr(addr) cmtlev++; /* allow space for closing paren */ - if (!skipping) + if (SM_HAVE_ROOM) { buflim--; realcmtlev++; if (copylev++ <= 0) { if (bp != bufhead) - *bp++ = ' '; - *bp++ = c; + SM_APPEND_CHAR(' '); + SM_APPEND_CHAR(c); } } } @@ -1128,7 +1158,7 @@ crackaddr(addr) { cmtlev--; copylev--; - if (!skipping) + if (SM_HAVE_ROOM) { realcmtlev--; buflim++; @@ -1139,7 +1169,7 @@ crackaddr(addr) else if (c == ')') { /* syntax error: unmatched ) */ - if (copylev > 0 && !skipping) + if (copylev > 0 && SM_HAVE_ROOM) bp--; } 
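Review bot: In the quoted-string branch (hunk at -1097) the buflim adjustment looks inverted compared with the other reservations in this patch: opening a comment does `buflim--` and closing it `buflim++`, and `addangle` follows the same pattern, but here `if (realqmode) buflim--; else buflim++;` raises the limit when a quote opens in the output and lowers it when the quote closes. As written, an opening quote reserves no slot for the repair `"` and can push `buflim` past `bufend`, after which SM_HAVE_ROOM is false and the next SM_APPEND_CHAR punts to `<$g>`. The `bp < bufend` guards in the repair code mean this should cost output rather than memory safety, but if the intent is to reserve room I would expect `if (realqmode) buflim++; else buflim--;`. The enclosing loop starts in the first hunk on this line and runs on past the last one.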
@@ -1157,7 +1187,7 @@ crackaddr(addr) /* ** Check for DECnet phase IV ``::'' (host::user) - ** or ** DECnet phase V ``:.'' syntaxes. The latter + ** or DECnet phase V ``:.'' syntaxes. The latter ** covers ``user@DEC:.tay.myhost'' and ** ``DEC:.tay.myhost::user'' syntaxes (bletch). */ @@ -1166,10 +1196,10 @@ crackaddr(addr) { if (cmtlev <= 0 && !qmode) quoteit = true; - if (copylev > 0 && !skipping) + if (copylev > 0) { - *bp++ = c; - *bp++ = *p; + SM_APPEND_CHAR(c); + SM_APPEND_CHAR(*p); } p++; goto putg; @@ -1180,41 +1210,43 @@ crackaddr(addr) bp = bufhead; if (quoteit) { - *bp++ = '"'; + SM_APPEND_CHAR('"'); /* back up over the ':' and any spaces */ --p; - while (isascii(*--p) && isspace(*p)) + while (p > addr && + isascii(*--p) && isspace(*p)) continue; p++; } for (q = addrhead; q < p; ) { c = *q++; - if (bp < buflim) + if (quoteit && c == '"') { - if (quoteit && c == '"') - *bp++ = '\\'; - *bp++ = c; + SM_APPEND_CHAR('\\'); + SM_APPEND_CHAR(c); } + else + SM_APPEND_CHAR(c); } if (quoteit) { if (bp == &bufhead[1]) bp--; else - *bp++ = '"'; + SM_APPEND_CHAR('"'); while ((c = *p++) != ':') - { - if (bp < buflim) - *bp++ = c; - } - *bp++ = c; + SM_APPEND_CHAR(c); + SM_APPEND_CHAR(c); } /* any trailing white space is part of group: */ - while (isascii(*p) && isspace(*p) && bp < buflim) - *bp++ = *p++; + while (isascii(*p) && isspace(*p)) + { + SM_APPEND_CHAR(*p); + p++; + } copylev = 0; putgmac = quoteit = false; bufhead = bp; @@ -1223,10 +1255,7 @@ crackaddr(addr) } if (c == ';' && copylev <= 0 && !ColonOkInAddr) - { - if (bp < buflim) - *bp++ = c; - } + SM_APPEND_CHAR(c); /* check for characters that may have to be quoted */ if (strchr(MustQuoteChars, c) != NULL) 
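Review bot: In the group-name hunk (-1180), `while ((c = *p++) != ':') SM_APPEND_CHAR(c);` stops only on a colon or when the output buffer runs out of room, never on the terminating NUL of `addr`. It is safe only because `p` was just backed up from a colon known to lie ahead; that invariant deserves a comment, or the loop can defend itself with `while ((c = *p++) != ':' && c != '\0')` followed by `if (c == '\0') goto returng;`. The `'<'` loop in the -1254 hunk has the same shape. As a smaller style point, the `if`/`else` that escapes `"` repeats `SM_APPEND_CHAR(c)` in both arms and could be a conditional backslash followed by one unconditional append.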
@@ -1254,42 +1283,45 @@ crackaddr(addr) /* oops -- have to change our mind */ anglelev = 1; - if (!skipping) - realanglelev = 1; + if (SM_HAVE_ROOM) + { + if (!addangle) + buflim--; + addangle = true; + } bp = bufhead; if (quoteit) { - *bp++ = '"'; + SM_APPEND_CHAR('"'); /* back up over the '<' and any spaces */ --p; - while (isascii(*--p) && isspace(*p)) + while (p > addr && + isascii(*--p) && isspace(*p)) continue; p++; } for (q = addrhead; q < p; ) { c = *q++; - if (bp < buflim) + if (quoteit && c == '"') { - if (quoteit && c == '"') - *bp++ = '\\'; - *bp++ = c; + SM_APPEND_CHAR('\\'); + SM_APPEND_CHAR(c); } + else + SM_APPEND_CHAR(c); } if (quoteit) { if (bp == &buf[1]) bp--; else - *bp++ = '"'; + SM_APPEND_CHAR('"'); while ((c = *p++) != '<') - { - if (bp < buflim) - *bp++ = c; - } - *bp++ = c; + SM_APPEND_CHAR(c); + SM_APPEND_CHAR(c); } copylev = 0; putgmac = quoteit = false; @@ -1301,13 +1333,14 @@ crackaddr(addr) if (anglelev > 0) { anglelev--; - if (!skipping) + if (SM_HAVE_ROOM) { - realanglelev--; - buflim++; + if (addangle) + buflim++; + addangle = false; } } - else if (!skipping) + else if (SM_HAVE_ROOM) { /* syntax error: unmatched > */ if (copylev > 0) @@ -1316,7 +1349,7 @@ crackaddr(addr) continue; } if (copylev++ <= 0) - *bp++ = c; + SM_APPEND_CHAR(c); continue; } 
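Review bot: The empty-phrase check in the `<` branch (-1254 hunk) still compares against the start of the whole buffer, `if (bp == &buf[1])`, although `bp` was reset to `bufhead` a few lines earlier and the equivalent check in the group-name branch uses `&bufhead[1]`. Once a group prefix has advanced `bufhead`, this check can no longer match, so an empty quoted phrase would be emitted as `""` instead of being dropped; that is inferred from the visible lines, not tested. For consistency I would write `if (bp == &bufhead[1])` here as well. The branch begins before this hunk.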
@@ -1324,30 +1357,42 @@ crackaddr(addr) putg: if (copylev <= 0 && !putgmac) { - if (bp > bufhead && bp[-1] == ')') - *bp++ = ' '; - *bp++ = MACROEXPAND; - *bp++ = 'g'; + if (bp > buf && bp[-1] == ')') + SM_APPEND_CHAR(' '); + SM_APPEND_CHAR(MACROEXPAND); + SM_APPEND_CHAR('g'); putgmac = true; } } /* repair any syntactic damage */ - if (realqmode) + if (realqmode && bp < bufend) *bp++ = '"'; - while (realcmtlev-- > 0) + while (realcmtlev-- > 0 && bp < bufend) *bp++ = ')'; - while (realanglelev-- > 0) + if (addangle && bp < bufend) *bp++ = '>'; - *bp++ = '\0'; - + *bp = '\0'; + if (bp < bufend) + goto success; + + returng: + /* String too long, punt */ + buf[0] = '<'; + buf[1] = MACROEXPAND; + buf[2]= 'g'; + buf[3] = '>'; + buf[4]= '\0'; + sm_syslog(LOG_ALERT, e->e_id, + "Dropped invalid comments from header address"); + + success: if (tTd(33, 1)) { sm_dprintf("crackaddr=>`"); xputs(buf); sm_dprintf("'\n"); } - return buf; } /* @@ -1412,7 +1457,7 @@ putheader(mci, hdr, e, flags) { size_t len; - len = fix_mime_header(h->h_value); + len = fix_mime_header(h, e); if (len > 0) { sm_syslog(LOG_ALERT, e->e_id, 
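Review bot: The LOG_ALERT message on the new `returng` path, "Dropped invalid comments from header address", understates what happened and gives an operator little to triage with: the whole rewritten address, not just its comments, is replaced by `<$g>`, and neither the input length nor the "(possible attack)" marker used by the MIME alerts in this file is recorded. Something like `"Dropped over-long header address (length = %lu) (possible attack)", (unsigned long) strlen(addr)` would make the event searchable alongside the other alerts without copying attacker-controlled text into the log; this assumes `addr` still points at the start of the input, which the visible lines suggest but do not fully show. The path also dereferences `e->e_id`, so the function comment should state that `e` must be non-NULL.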
@@ -1455,13 +1500,28 @@ putheader(mci, hdr, e, flags) if (shorten_rfc822_string(h->h_value, MaxMimeHeaderLength)) { - sm_syslog(LOG_ALERT, e->e_id, - "Truncated long MIME %s header (length = %ld) (possible attack)", - h->h_field, (unsigned long) len); - if (tTd(34, 11)) - sm_dprintf(" truncated long MIME %s header (length = %ld) (possible attack)\n", - h->h_field, - (unsigned long) len); + if (len < MaxMimeHeaderLength) + { + /* we only rebalanced a bogus header */ + sm_syslog(LOG_ALERT, e->e_id, + "Fixed MIME %s header (possible attack)", + h->h_field); + if (tTd(34, 11)) + sm_dprintf(" fixed MIME %s header (possible attack)\n", + h->h_field); + } + else + { + /* we actually shortened header */ + sm_syslog(LOG_ALERT, e->e_id, + "Truncated long MIME %s header (length = %ld) (possible attack)", + h->h_field, + (unsigned long) len); + if (tTd(34, 11)) + sm_dprintf(" truncated long MIME %s header (length = %ld) (possible attack)\n", + h->h_field, + (unsigned long) len); + } } } @@ -1856,7 +1916,8 @@ copyheader(header, rpool) ** to MaxMimeFieldLength. ** ** Parameters: -** string -- the full header +** h -- the header to truncate/rebalance +** e -- the current envelope ** ** Returns: ** length of last offending field, 0 if all ok. @@ -1866,15 +1927,16 @@ copyheader(header, rpool) */ static size_t -fix_mime_header(string) - char *string; +fix_mime_header(h, e) + HDR *h; + ENVELOPE *e; { - char *begin = string; + char *begin = h->h_value; char *end; size_t len = 0; size_t retlen = 0; - if (string == NULL || *string == '\0') + if (begin == NULL || *begin == '\0') return 0; /* Split on each ';' */ 
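Review bot: In the truncation branch of the -1455 hunk the format string uses `%ld` while the argument is cast to `(unsigned long) len`; conversion and argument type should agree, so `(length = %lu)` in both the sm_syslog and the sm_dprintf call. The new `len < MaxMimeHeaderLength` test also compares a length with a limit whose type is not visible here; if `len` is a `size_t` and the limit a signed int, an explicit cast would keep the comparison from being surprised by a non-positive limit. putheader's body starts and ends outside the hunk.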
@@ -1889,7 +1951,23 @@ fix_mime_header(string) /* Shorten individual parameter */ if (shorten_rfc822_string(begin, MaxMimeFieldLength)) - retlen = len; + { + if (len < MaxMimeFieldLength) + { + /* we only rebalanced a bogus field */ + sm_syslog(LOG_ALERT, e->e_id, + "Fixed MIME %s header field (possible attack)", + h->h_field); + if (tTd(34, 11)) + sm_dprintf(" fixed MIME %s header field (possible attack)\n", + h->h_field); + } + else + { + /* we actually shortened the header */ + retlen = len; + } + } /* Collapse the possibly shortened string with rest */ bp = begin + strlen(begin); -- cgit v1.1
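Review bot: With this hunk fix_mime_header can modify the header and still return 0: in the `len < MaxMimeFieldLength` branch the field is rebalanced and logged but `retlen` is left untouched, while the header comment above the function still says "length of last offending field, 0 if all ok". I would update that Returns text to something like `**		length of last field that was truncated, 0 if none was (fields that were only rebalanced are logged here and not reported).` The function now also dereferences `e->e_id` and `h->h_field`, so the comment could state that `h` and `e` must be non-NULL. The loop this hunk sits in starts and ends outside it.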